=================================================================================
Access-list case with no explicit "deny any" on end of access-list "CONNECT" - bad
=================================================================================

## firewall B partial config

router ospf
 ospf router-id 192.168.24.1
 log-adjacency-changes detail
 auto-cost reference-bandwidth 40000
 timers throttle spf 200 1000 10000
 redistribute connected metric 20 route-map CONNECT
 passive-interface em1
 area 0.0.0.0 authentication message-digest
!
access-list CONNECT seq 10 permit 10.24.194.0/24
!
route-map CONNECT permit 10
 match ip address CONNECT
!

## OSPF routes showing on adjacent firewall A

somefirewall.somedomain.local# show ip route ospf
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

O>* 10.24.10.0/24 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06
O>* 10.24.194.0/24 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06   ### Allowed in redistribute ACL. This is fine.
O>* 10.24.224.0/29 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06   ### Connected route on firewall B not in OSPF or being redistributed. Should not appear!
O   10.254.40.0/28 [110/4] is directly connected, em0.40, weight 1, 00:13:23   ### This is fine (firewall A LAN1)
O   10.254.100.0/24 [110/4] is directly connected, em0.100, weight 1, 00:13:23   ### This is fine (firewall A LAN2)
O>* 10.255.195.1/32 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06   ### VPN tunnel IPs. Don't want to be seeing it
O>* 10.255.196.1/32 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06   ### VPN tunnel IPs. Don't want to be seeing it
O>* 10.255.198.2/32 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06   ### VPN tunnel IPs. Don't want to be seeing it
O>* 103.XXX.XXX.1/32 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06   ### firewall B's WAN2 route (PPP) - should not appear!
O>* 192.168.24.0/24 [110/8004] via 10.255.195.2, ovpns2 onlink, weight 1, 00:13:23   ### This is fine (firewall B LAN)
O   192.168.57.0/24 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06   ### firewall B's lab connectivity - should not appear!
O>* 194.XXX.XXX.28/30 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06   ### firewall B's WAN1 route - should not appear!!

================================================================================
Access-list case with explicit "deny any" on end of access-list "CONNECT" - fine
================================================================================

## firewall B partial config

router ospf
 ospf router-id 192.168.24.1
 log-adjacency-changes detail
 auto-cost reference-bandwidth 40000
 timers throttle spf 200 1000 10000
 redistribute connected metric 20 route-map CONNECT
 passive-interface em1
 area 0.0.0.0 authentication message-digest
!
access-list CONNECT seq 10 permit 10.24.194.0/24
access-list CONNECT seq 20 deny any   ### note the addition of an explicit "deny any". Shouldn't need this. ACL should implicitly deny at the end.
!
route-map CONNECT permit 10
 match ip address CONNECT
!

## OSPF routes showing on adjacent firewall A

somefirewall.somedomain.local# show ip route ospf
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

O>* 10.24.194.0/24 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:22
O   10.254.40.0/28 [110/4] is directly connected, em0.40, weight 1, 00:22:18
O   10.254.100.0/24 [110/4] is directly connected, em0.100, weight 1, 00:22:18
O>* 192.168.24.0/24 [110/8004] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:46

===================================================================================
Prefix-list case with no explicit "deny any" on end of prefix-list "CONNECT" - fine
===================================================================================

## firewall B partial config

router ospf
 ospf router-id 192.168.24.1
 log-adjacency-changes detail
 auto-cost reference-bandwidth 40000
 timers throttle spf 200 1000 10000
 redistribute connected metric 20 route-map CONNECT
 passive-interface em1
 area 0.0.0.0 authentication message-digest
!
ip prefix-list CONNECT seq 10 permit 10.24.194.0/24
!
route-map CONNECT permit 10
 match ip address prefix-list CONNECT
!

## OSPF routes showing on adjacent firewall A

somefirewall.somedomain.local# show ip route ospf
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

O>* 10.24.194.0/24 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:01:53
O   10.254.40.0/28 [110/4] is directly connected, em0.40, weight 1, 00:43:50
O   10.254.100.0/24 [110/4] is directly connected, em0.100, weight 1, 00:43:50
O>* 192.168.24.0/24 [110/8004] via 10.255.195.2, ovpns2 onlink, weight 1, 00:02:34
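A small audit check, added here and not part of the report above, that parses firewall A's "show ip route ospf" output and lists every prefix learned from firewall B's tunnel address that the CONNECT filter should have kept out. It assumes the only prefixes A should see from B are the one the filter permits (10.24.194.0/24) and B's own LAN (192.168.24.0/24); the sample is the "bad" case output from the report, with its redacted XXX octets left as shown.

```python
import re

# Constructed sample: the "bad" case output from the report (redacted octets kept as-is).
BAD_OUTPUT = """\
O>* 10.24.10.0/24 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06
O>* 10.24.194.0/24 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06
O>* 10.24.224.0/29 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06
O   10.254.40.0/28 [110/4] is directly connected, em0.40, weight 1, 00:13:23
O   10.254.100.0/24 [110/4] is directly connected, em0.100, weight 1, 00:13:23
O>* 10.255.195.1/32 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06
O>* 10.255.196.1/32 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06
O>* 10.255.198.2/32 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06
O>* 103.XXX.XXX.1/32 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06
O>* 192.168.24.0/24 [110/8004] via 10.255.195.2, ovpns2 onlink, weight 1, 00:13:23
O   192.168.57.0/24 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06
O>* 194.XXX.XXX.28/30 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06
"""

# Assumption: what A should learn from B is the single permitted redistributed
# prefix plus B's LAN, which OSPF carries natively via the passive em1 interface.
EXPECTED_FROM_B = {"10.24.194.0/24", "192.168.24.0/24"}
B_TUNNEL_ADDRESS = "10.255.195.2"

# "O>* prefix [admin/metric] rest..." or "O   prefix [admin/metric] rest..."
ROUTE_RE = re.compile(r"^O[>*\s]*\s(?P<prefix>\S+)\s+\[\d+/\d+\]\s+(?P<rest>.*)$")
VIA_RE = re.compile(r"\bvia\s+(?P<nh>[^,\s]+)")


def parse_ospf_routes(text):
    """Yield (prefix, next_hop) per route line; next_hop is None when the route
    is directly connected on the box that produced the output."""
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # Codes legend, prompt, blank lines
        via = VIA_RE.search(m.group("rest"))
        yield m.group("prefix"), (via.group("nh") if via else None)


def leaked_routes(text, neighbor, expected):
    """Prefixes learned via `neighbor` that are outside the expected set."""
    return sorted(p for p, nh in parse_ospf_routes(text)
                  if nh == neighbor and p not in expected)


if __name__ == "__main__":
    for prefix in leaked_routes(BAD_OUTPUT, B_TUNNEL_ADDRESS, EXPECTED_FROM_B):
        print("unexpected route from firewall B:", prefix)
```

Run it against the live output of `vtysh -c "show ip route ospf"` on firewall A after changing the filter; an empty result matches the two "fine" cases above.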